Wednesday, July 12, 2017

So far, Rendition has posted on the Kaspersky debate twice. In the first post, Rendition educated the public on why a software audit would not address the fears raised by the Senate. The second post explained the damage that any antivirus software could perform in a network if its operation were taken over by a foreign government. The second post is about more than just Kaspsersky - as Rendition made clear in the post, it could apply to any antivirus software.

Bloomberg reports previously unknown Kaspersky involvement with Russian government
Yesterday, Bloomberg wrote an article claiming that Kaspersky is far more deeply involved with Russian intelligence than was publicly known. At Rendition, we think parts of that reporting were careless, especially the interpretation of the words "active countermeasures." "Active countermeasures" is not an industry standard term, and its misuse is a pet peeve of Rendition's founder Jake Williams, who has spoken on the topic at various industry events. Bloomberg took the phrase "active countermeasures" to mean the following.

"Active countermeasures is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks."

We know of no such standard definition for "active countermeasures." Even if Bloomberg got this definition from an infosec expert, any expert worth quoting would have told Bloomberg that their definition was one of many and not "generally accepted" by the community. That this wasn't reported makes the whole article reek of bias - where there's smoke, there's usually fire.

Kaspersky responds to Bloomberg
Eugene Kaspersky posted a retort that addresses the Bloomberg article point by point. Kaspersky calls out some of the obvious problems with the article, including talking around the point made above. But in his response, Kaspersky says something that is misleading if not outright false, and we think that needs to be addressed as well.

Tuesday, July 11, 2017

Recently we learned that the US Senate was pushing to add language to the National Defense Authorization Act (NDAA) that would prohibit the purchase and use of Kaspersky software anywhere in the DoD. This is almost certainly a political move, and CyberScoop’s Patrick Howell O’Neill has already done a great job of covering this story from a political angle. It is entirely possible that the Senate’s statements about the NDAA are just political messages meant to rattle the sabers.

But should antivirus be part of your threat model? Perhaps it should. As Tavis Ormandy has shown over the last year, antivirus software is often full of security vulnerabilities. This is especially concerning because antivirus runs with elevated privileges, and it is those elevated privileges that make antivirus software so dangerous.

In considering this debate, it is important to consider the types of threats that antivirus software could pose if the vendor were subject to “influence” from a government. Obviously we are talking about this because of Kaspersky and the NDAA, but it is important to note that any antivirus company could be subject to the same attacks. The risk is not limited to antivirus companies that could be influenced – any software manufacturer with automatic updates could be used as an attack platform by a government. If one were hacked by an APT group (most likely a nation state), its customers would also be vulnerable, whether the software in question is antivirus or something else.